weblogic.management.configuration
Interface SecurityConfigurationMBean

All Superinterfaces:

ConfigurationMBean

public interface SecurityConfigurationMBean
extends ConfigurationMBean

Provides domain-wide security configuration information.

Deprecation of MBeanHome and Type-Safe Interfaces

This is a type-safe interface for a WebLogic Server MBean, which you can import into your client classes and access through weblogic.management.MBeanHome. As of 9.0, the MBeanHome interface and all type-safe interfaces for WebLogic Server MBeans are deprecated. Instead, client classes that interact with WebLogic Server MBeans should use standard JMX design patterns in which clients use the javax.management.MBeanServerConnection interface to discover MBeans, attributes, and attribute types at runtime.

Since:

7.0.0.0

Field Summary

Fields inherited from interface weblogic.management.configuration.ConfigurationMBean

DEFAULT_EMPTY_BYTE_ARRAY

Method Summary

RealmMBean	createRealm() Creates a realm.
RealmMBean	createRealm(String name) Creates a realm.
void	destroyRealm(RealmMBean realm) Destroys a realm.
RealmMBean	findDefaultRealm() Deprecated. 9.0.0.0 Replaced by SecurityConfigurationMBean.getDefaultRealm()
RealmMBean	findRealm(String realmDisplayName) Deprecated. 9.0.0.0 Replaced by SecurityConfigurationMBean.lookupRealm(java.lang.String)
RealmMBean[]	findRealms() Deprecated. 9.0.0.0 Replaced by SecurityConfigurationMBean.getRealms()
byte[]	generateCredential() Generates a new encrypted byte array which can be use when calling #setCredentialEncrypted
CertRevocMBean	getCertRevoc() Determines the domain's X509 certificate revocation checking configuration.
boolean	getCompatibilityConnectionFiltersEnabled() Specifies whether this WebLogic Server domain enables compatiblity with previous connection filters.
String	getConnectionFilter() The name of the Java class that implements a connection filter (that is, the weblogic.security.net.ConnectionFilter interface).
String[]	getConnectionFilterRules() The rules used by any connection filter that implements the ConnectionFilterRulesListener interface.
boolean	getConnectionLoggerEnabled() Specifies whether this WebLogic Server domain should log accepted connections.
RealmMBean	getDefaultRealm() Returns the default security realm or null if no realm has been selected as the default security realm.
boolean	getDowngradeUntrustedPrincipals() Whether or not to downgrade to anonymous principals that cannot be verified.
boolean	getEnforceStrictURLPattern() Whether or not the system should enforce strict URL pattern or not.
boolean	getEnforceValidBasicAuthCredentials() Whether or not the system should allow requests with invalid Basic Authentication credentials to access unsecure resources.
String[]	getExcludedDomainNames() Specifies a list of remote domains for which cross-domain check should not be applied.
String	getNodeManagerPassword() The password that the Administration Server uses to communicate with Node Manager when starting, stopping, or restarting Managed Servers.
byte[]	getNodeManagerPasswordEncrypted() The password that the Administration Server passes to a Node Manager when it instructs the Node Manager to start, stop, or restart Managed Servers.
String	getNodeManagerUsername() The user name that the Administration Server uses to communicate with Node Manager when starting, stopping, or restarting Managed Servers.
RealmMBean[]	getRealms() Returns all the realms in the domain.
String	getWebAppFilesCaseInsensitive() This property defines the case sensitive URL-pattern matching behavior for security constraints, servlets, filters, virtual-hosts, and so on, in the Web application container and external security policies.
boolean	isAnonymousAdminLookupEnabled() Returns true if anonymous JNDI access for Admin MBean home is permitted.
boolean	isClearTextCredentialAccessEnabled() Returns true if allow access to credential in clear text.
boolean	isConsoleFullDelegationEnabled() Indicates whether the console is enabled for fully delegate authorization.
boolean	isCrossDomainSecurityEnabled() Indicates whether or not cross-domain security is enabled
boolean	isPrincipalEqualsCaseInsensitive() Specifies whether the WebLogic Server principal name is compared using a case insensitive match when the equals method for the principal object is performed.
boolean	isPrincipalEqualsCompareDnAndGuid() Specifies whether the GUID and DN data in a WebLogic Server principal object are used when the equals method of that object is invoked.
RealmMBean	lookupRealm(String name) Finds a realm given it's name.
void	setAnonymousAdminLookupEnabled(boolean permit) Permits anonymous JNDI access to get the Admin MBean home.
void	setClearTextCredentialAccessEnabled(boolean enabled) Allow access to clear-text password.
void	setCompatibilityConnectionFiltersEnabled(boolean compatibility)
void	setConnectionFilter(String filter)
void	setConnectionFilterRules(String[] filterList)
void	setConnectionLoggerEnabled(boolean logging)
void	setConsoleFullDelegationEnabled(boolean enabled) Enables the console to operate with fully delegate authorization.
void	setCredential(String credential) As of 8.1 sp4, this method does the following:
void	setCredentialEncrypted(byte[] bytes) Encrypts and sets the value of the CredentialEncrypted attribute.
void	setCrossDomainSecurityEnabled(boolean enabled) Turns on/off the cross-domain security.
void	setDefaultRealm(RealmMBean defaultRealm) Sets the default security realm.
void	setDowngradeUntrustedPrincipals(boolean downgrade)
void	setEnforceStrictURLPattern(boolean enforceStrictURLPattern)
void	setEnforceValidBasicAuthCredentials(boolean allow)
void	setExcludedDomainNames(String[] remoteDomains) Specifies a list of remote domains for which cross-domain check should not be applied.
void	setNodeManagerPassword(String password) Sets the value of the NodeManagerPassword attribute.
void	setNodeManagerPasswordEncrypted(byte[] bytes) Sets the value of the NodeManagerPassword attribute.
void	setNodeManagerUsername(String username) Sets the node manager username for the domain.
void	setPrincipalEqualsCaseInsensitive(boolean principalEqualsCaseInsensitive) Sets the value of the PrincipalEqualsCaseInsensitive attribute.
void	setPrincipalEqualsCompareDnAndGuid(boolean principalEqualsCompareDnAndGuid) Sets the value of the UseGUIDandDNinEqual attribute.
void	setWebAppFilesCaseInsensitive(String caseInsensitive) Sets the value for the WebAppFilesCaseInsensitive.

Methods inherited from interface weblogic.management.configuration.ConfigurationMBean

freezeCurrentValue, getName, getNotes, isSet, restoreDefaultValue, setComments, setDefaultedMBean, setName, setNotes, setPersistenceEnabled, unSet

Method Detail

createRealm

RealmMBean createRealm(String name)
                       throws JMException

Creates a realm.

Parameters:

name - - The name of this realm, for example, myrealm

Throws:

JMException

createRealm

RealmMBean createRealm()
                       throws JMException

Creates a realm.

Parameters:

name - a String containing the realm's name. This name must be unique among all realms in the domain. If the name can be converted to a JMX object name, then it is used as the provider's JMX object name. The encouraged convention is: "Security:Name=realmDisplayName". For example: "Security:Name=myrealm".

displayName - a String containing the realm's display name (ie. the name that will be displayed in the console).

Throws:

JMException

destroyRealm

void destroyRealm(RealmMBean realm)

Destroys a realm. This does not destroy its providers or its user lockout manager.

getRealms

RealmMBean[] getRealms()

Returns all the realms in the domain.

lookupRealm

RealmMBean lookupRealm(String name)

Finds a realm given it's name. The name is often its JMX object name (e.g. Security:Name=myrealm)

findRealms

RealmMBean[] findRealms()

Deprecated. 9.0.0.0 Replaced by SecurityConfigurationMBean.getRealms()

Returns all the realms in the domain.

All security roles can access this item.

findDefaultRealm

RealmMBean findDefaultRealm()

Deprecated. 9.0.0.0 Replaced by SecurityConfigurationMBean.getDefaultRealm()

Finds the default security realm. Returns null if a default security realm is not defined.

All security roles can access this item.

findRealm

RealmMBean findRealm(String realmDisplayName)

Deprecated. 9.0.0.0 Replaced by SecurityConfigurationMBean.lookupRealm(java.lang.String)

Finds a realm by name (that is, by the display name of the realm). Returns null no realm with that name has been defined. Throws a configuration error if there are multiple matches.

Parameters:

realmDisplayName - A String containing the realm's display name.

All security roles can access this item.

getDefaultRealm

RealmMBean getDefaultRealm()

Returns the default security realm or null if no realm has been selected as the default security realm.

setDefaultRealm

void setDefaultRealm(RealmMBean defaultRealm)
                     throws InvalidAttributeValueException

Sets the default security realm.

Parameters:

realm - The new default realm. Use null to specify that there is no default realm.

Throws:

InvalidAttributeValueException

isAnonymousAdminLookupEnabled

boolean isAnonymousAdminLookupEnabled()

Returns true if anonymous JNDI access for Admin MBean home is permitted. This is overridden by the Java property -Dweblogic.management.anonymousAdminLookupEnabled.

Returns:

true if anonymous access is allowed, false otherwise

Default Value:

false

setAnonymousAdminLookupEnabled

void setAnonymousAdminLookupEnabled(boolean permit)

Permits anonymous JNDI access to get the Admin MBean home.

Parameters:

permit - The new value.

See Also:

SecurityConfigurationMBean.isAnonymousAdminLookupEnabled()

isClearTextCredentialAccessEnabled

boolean isClearTextCredentialAccessEnabled()

Returns true if allow access to credential in clear text. This can be overridden by the system property -Dweblogic.management.clearTextCredentialAccessEnabled

Returns:

true if allow access to clear-text password, false otherwise

Changes take effect after you redeploy the module or restart the server.

Default Value:

false

setClearTextCredentialAccessEnabled

void setClearTextCredentialAccessEnabled(boolean enabled)

Allow access to clear-text password.

Parameters:

enabled - The new value.

See Also:

SecurityConfigurationMBean.isClearTextCredentialAccessEnabled()

generateCredential

byte[] generateCredential()

Generates a new encrypted byte array which can be use when calling #setCredentialEncrypted

Returns:

a new encrypted byte array suitable for use as a domain credential.

setCredential

void setCredential(String credential)
                   throws InvalidAttributeValueException

As of 8.1 sp4, this method does the following:

1. Encrypts the parameter value.
2. Sets the value of the CredentialEncrypted attribute to the encrypted parameter value.

Parameters:

credential - The new credential value

Throws:

InvalidAttributeValueException

See Also:

SecurityConfigurationMBean.getCredential(), SecurityConfigurationMBean.setCredentialEncrypted(byte[] bytes)

setCredentialEncrypted

void setCredentialEncrypted(byte[] bytes)
                            throws InvalidAttributeValueException

Encrypts and sets the value of the CredentialEncrypted attribute.

Parameters:

bytes - The new credential value as a byte array.

Throws:

InvalidAttributeValueException

See Also:

SecurityConfigurationMBean.getCredentialEncrypted()

getWebAppFilesCaseInsensitive

String getWebAppFilesCaseInsensitive()

This property defines the case sensitive URL-pattern matching behavior for security constraints, servlets, filters, virtual-hosts, and so on, in the Web application container and external security policies. Note: This is a Windows-only flag that is provided for backward compatibility when upgrading from pre-9.0 versions of WebLogic Server. On Unix platforms, setting this value to true causes undesired behavior and is not supported. When the value is set to os, the pattern matching will be case- sensitive on all platforms except the Windows file system. Note that on non-Windows file systems, WebLogic Server does not enforce case sensitivity and relies on the file system for optimization. As a result, if you have a Windows Samba mount from Unix or Mac OS that has been installed in case-insensitive mode, there is a chance of a security risk. If so, specify case-insensitive lookups by setting this attribute to true. Note also that this property is used to preserve backward compatibility on Windows file systems only. In prior releases, WebLogic Server was case- insensitive on Windows. As of WebLogic Server 9.0, URL-pattern matching is strictly enforced. During the upgrade of older domains, the value of this parameter is explicitly set to os by the upgrade plug-in to preserve backward compatibility.

Default Value:

"false"

Valid Values:

"os", "true", "false"

setWebAppFilesCaseInsensitive

void setWebAppFilesCaseInsensitive(String caseInsensitive)
                                   throws InvalidAttributeValueException

Sets the value for the WebAppFilesCaseInsensitive.

Parameters:

caseInsensitive - The new value caseInsensitive.

Throws:

InvalidAttributeValueException

See Also:

SecurityConfigurationMBean.getWebAppFilesCaseInsensitive()

getConnectionFilter

String getConnectionFilter()

The name of the Java class that implements a connection filter (that is, the weblogic.security.net.ConnectionFilter interface). If no class name is specified, no connection filter will be used.

This attribute replaces the deprecated ConnectionFilter attribute on the SecurityMBean.

Since:

9.0.0.0

Default Value:

null

setConnectionFilter

void setConnectionFilter(String filter)
                         throws InvalidAttributeValueException

Throws:

InvalidAttributeValueException

getConnectionFilterRules

String[] getConnectionFilterRules()

The rules used by any connection filter that implements the ConnectionFilterRulesListener interface. When using the default implementation and when no rules are specified, all connections are accepted. The default implementation rules are in the format: target localAddress localPort action protocols.

This attribute replaces the deprecated ConnectionFilterRules attribute on the SecurityMBean.

Since:

9.0.0.0

Changes take effect after you redeploy the module or restart the server.

Default Value:

null

setConnectionFilterRules

void setConnectionFilterRules(String[] filterList)

getConnectionLoggerEnabled

boolean getConnectionLoggerEnabled()

Specifies whether this WebLogic Server domain should log accepted connections.

This attribute can be used by a system administrator to dynamically check the incoming connections in the log file to determine if filtering needs to be performed.

This attribute replaces the deprecated ConnectionLoggerEnabled attribute on the SecurityMBean.

Since:

9.0.0.0

Changes take effect after you redeploy the module or restart the server.

Default Value:

false

setConnectionLoggerEnabled

void setConnectionLoggerEnabled(boolean logging)
                                throws InvalidAttributeValueException

Throws:

InvalidAttributeValueException

getCompatibilityConnectionFiltersEnabled

boolean getCompatibilityConnectionFiltersEnabled()

Specifies whether this WebLogic Server domain enables compatiblity with previous connection filters.

This attribute changes the protocols names used when filtering needs to be performed.

Since:

9.0.0.0

Changes take effect after you redeploy the module or restart the server.

Default Value:

false

setCompatibilityConnectionFiltersEnabled

void setCompatibilityConnectionFiltersEnabled(boolean compatibility)
                                              throws InvalidAttributeValueException

Throws:

InvalidAttributeValueException

getNodeManagerUsername

String getNodeManagerUsername()

The user name that the Administration Server uses to communicate with Node Manager when starting, stopping, or restarting Managed Servers.

Returns:

the username value

Since:

9.0.0.0

Changes take effect after you redeploy the module or restart the server.

Default Value:

""

setNodeManagerUsername

void setNodeManagerUsername(String username)

Sets the node manager username for the domain.

Parameters:

username - the new username value

Since:

9.0.0.0

See Also:

SecurityConfigurationMBean.getNodeManagerUsername()

getNodeManagerPassword

String getNodeManagerPassword()

The password that the Administration Server uses to communicate with Node Manager when starting, stopping, or restarting Managed Servers.

When you get the value of this attribute, WebLogic Server does the following:

1. Retrieves the value of the NodeManagerPasswordEncrypted attribute.
2. Decrypts the value and returns the unencrypted password as a String.

When you set the value of this attribute, WebLogic Server does the following:

1. Encrypts the value.
2. Sets the value of the NodeManagerPasswordEncrypted attribute to the encrypted value.

Using this attribute (NodeManagerPassword) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.

Instead of using this attribute, you should use NodeManagerPasswordEncrypted.

Returns:

the password value

Since:

9.0.0.0

See Also:

SecurityConfigurationMBean.getNodeManagerPasswordEncrypted()

setNodeManagerPassword

void setNodeManagerPassword(String password)

Sets the value of the NodeManagerPassword attribute.

Parameters:

password - the new password value

Since:

9.0.0.0

See Also:

SecurityConfigurationMBean.getNodeManagerPassword(), SecurityConfigurationMBean.setNodeManagerPasswordEncrypted(byte[])

getNodeManagerPasswordEncrypted

byte[] getNodeManagerPasswordEncrypted()

The password that the Administration Server passes to a Node Manager when it instructs the Node Manager to start, stop, or restart Managed Servers.

To set this attribute, use weblogic.management.EncryptionHelper.encrypt() to encrypt the value. Then set this attribute to the output of the encrypt() method.

To compare a password that a user enters with the encrypted value of this attribute, go to the same WebLogic Server instance that you used to set and encrypt this attribute and use weblogic.management.EncryptionHelper.encrypt() to encrypt the user-supplied password. Then compare the encrypted values.

Returns:

the password value

Since:

9.0.0.0

Changes take effect after you redeploy the module or restart the server.

Default Value:

"".getBytes()

setNodeManagerPasswordEncrypted

void setNodeManagerPasswordEncrypted(byte[] bytes)

Sets the value of the NodeManagerPassword attribute.

Parameters:

password - the new password value

Since:

9.0.0.0

See Also:

#getNodeManagerPasswordEncrytped()

isPrincipalEqualsCaseInsensitive

boolean isPrincipalEqualsCaseInsensitive()

Specifies whether the WebLogic Server principal name is compared using a case insensitive match when the equals method for the principal object is performed.

If this attribute is enabled, matches are case insensitive.

Note: Note that principal comparison is not used by the WebLogic Security Service to determine access to protected resources. This attribute is intended for use with JAAS authorization, which may require case insensitive principal matching behavior.

Returns:

true if use case insensitive match, false otherwise

Changes take effect after you redeploy the module or restart the server.

Default Value:

false

setPrincipalEqualsCaseInsensitive

void setPrincipalEqualsCaseInsensitive(boolean principalEqualsCaseInsensitive)

Sets the value of the PrincipalEqualsCaseInsensitive attribute.

Parameters:

caseInsensitivePrincipalMatch -

See Also:

#isCaseInsensitivePrincipalMatch()

isPrincipalEqualsCompareDnAndGuid

boolean isPrincipalEqualsCompareDnAndGuid()

Specifies whether the GUID and DN data in a WebLogic Server principal object are used when the equals method of that object is invoked.

If enabled, the GUID and DN data (if included among the attributes in a WebLogic Server principal object) and the principal name are compared when this method is invoked.

Returns:

true if use guid and dn in equal compararison, false otherwise

Changes take effect after you redeploy the module or restart the server.

Default Value:

false

setPrincipalEqualsCompareDnAndGuid

void setPrincipalEqualsCompareDnAndGuid(boolean principalEqualsCompareDnAndGuid)

Sets the value of the UseGUIDandDNinEqual attribute.

Parameters:

useGUIDandDNinPrincipalEqual -

See Also:

#isUseGUIDandDNinPrincipalEqual

getDowngradeUntrustedPrincipals

boolean getDowngradeUntrustedPrincipals()

Whether or not to downgrade to anonymous principals that cannot be verified. This is useful for server-server communication between untrusted domains.

Returns:

the DowngradeUntrustedPrincipals value

Since:

9.0.0.0

Default Value:

false

setDowngradeUntrustedPrincipals

void setDowngradeUntrustedPrincipals(boolean downgrade)

Parameters:

downgrade - the new DowngradeUntrustedPrincipals value

See Also:

SecurityConfigurationMBean.getDowngradeUntrustedPrincipals()

getEnforceStrictURLPattern

boolean getEnforceStrictURLPattern()

Whether or not the system should enforce strict URL pattern or not.

Returns:

the EnforceStrictURLPattern value

Since:

9.0.0.0

Default Value:

true

setEnforceStrictURLPattern

void setEnforceStrictURLPattern(boolean enforceStrictURLPattern)

Parameters:

enforceStrictURLPattern - the new EnforceStrictURLPattern value

See Also:

SecurityConfigurationMBean.getEnforceStrictURLPattern()

getEnforceValidBasicAuthCredentials

boolean getEnforceValidBasicAuthCredentials()

Whether or not the system should allow requests with invalid Basic Authentication credentials to access unsecure resources.

Returns:

the EnforceValidBasicAuthCredentials value

Since:

9.2

Default Value:

true

setEnforceValidBasicAuthCredentials

void setEnforceValidBasicAuthCredentials(boolean allow)

Parameters:

allow - the new EnforceValidBasicAuthCredentials value

See Also:

SecurityConfigurationMBean.getEnforceValidBasicAuthCredentials()

isConsoleFullDelegationEnabled

boolean isConsoleFullDelegationEnabled()

Indicates whether the console is enabled for fully delegate authorization.

Returns:

true if the console is enabled for fully delegate authorization

Since:

9.2.0.0

Default Value:

false

setConsoleFullDelegationEnabled

void setConsoleFullDelegationEnabled(boolean enabled)

Enables the console to operate with fully delegate authorization.

Parameters:

enabled - the new console full delegation value

Since:

9.2.0.0

See Also:

SecurityConfigurationMBean.isConsoleFullDelegationEnabled()

getExcludedDomainNames

String[] getExcludedDomainNames()

Specifies a list of remote domains for which cross-domain check should not be applied.

Returns:

An array of Strings

Since:

10.0

setExcludedDomainNames

void setExcludedDomainNames(String[] remoteDomains)

Specifies a list of remote domains for which cross-domain check should not be applied. Sets the list of remote domain names that are to be excluded from the cross-domain checks.

Parameters:

Array - of Strings of all the domain names to be excluded.

isCrossDomainSecurityEnabled

boolean isCrossDomainSecurityEnabled()

Indicates whether or not cross-domain security is enabled

Returns:

returns a boolean value

Default Value:

false

setCrossDomainSecurityEnabled

void setCrossDomainSecurityEnabled(boolean enabled)

Turns on/off the cross-domain security.

Parameters:

boolean - value to indicate whether or not cross domain security is enabled via the use of credential mapper.

Default Value:

false

getCertRevoc

CertRevocMBean getCertRevoc()

Determines the domain's X509 certificate revocation checking configuration.

A CertRevocMBean is always associated with a domain's security configuration and cannot be changed, although CertRevocMBean attributes may be changed as documented.

Returns:

The associated CertRevocMBean.